AzureAD with Authpoint Windows Logon App

So we have been testing the Authpoint Logon App with a machine that is joined to AzureAD (not hybrid). Technically, we get it to work. However, you always have to select Other User, and enter "AzureAD{AzureUsername}".

Has anyone tried to do this? And does anyone know if it is or will be supported? We would love to use this in-house as well as proposing it to our clients, but we cant under this circumstance. Its too cumbersome.

~Jon

Best Answer

  • James_CarsonJames_Carson Moderator, WatchGuard Representative
    Accepted Answer

    As far as I'm aware, all that replace the logon experience will run into this issue.

    Using the default logon experience (like how authpoint did when it first launched) severely limits its functionality and logon options.

    -James Carson
    WatchGuard Customer Support

Answers

  • James_CarsonJames_Carson Moderator, WatchGuard Representative

    Hi Jon,

    I believe that the option you're choosing is just appending the users full azureAD username.

    Does it work in the same way as selecting other if you just type in [email protected] as the username?
    (e.g. [email protected])

    -James Carson
    WatchGuard Customer Support

  • Hi James.

    OK, that was really strange!

    If I log in with my email address or with my full name (Nospace and no AzureAD), it lets me in. Same windows profile, same windows (AssureAD) password. But there is no MFA prompt at all! It just bypasses Authpoint entirely.

    If I login with AzureAD\fullname, it prompts for AuthPoint and works.

  • James_CarsonJames_Carson Moderator, WatchGuard Representative

    There was an issue with previous versions of the logon app where you could bypass azure AD -- Can you please check to see if you're using the latest version of logon app?

    Should be 2.4.2.291 for Windows, and 1.9.0.73 for Mac.

    -James Carson
    WatchGuard Customer Support

  • James_CarsonJames_Carson Moderator, WatchGuard Representative

    The way windows is set up for Azure, it's expecting the user's full username ([email protected]) -- so azure AD users will need to log in that way, or by using that procedure you mentioned (via other.)

    You should, however, be seeing the MFA prompt for that.

    If it continues to not show up, I'd suggest a support case so that we can dig into the logs and figure out what's going wrong.

    -James Carson
    WatchGuard Customer Support

  • Yes, the machine I am testing with appears to be behind. I will update and give all of this a try again. Thank you!

  • That resolved both problems! Works fine now. Thanks James!

  • Does Authpoint prevent the use of Hello options? I cant use FP or PIN on the test machine.

  • James_CarsonJames_Carson Moderator, WatchGuard Representative

    Hi Jon,

    Yes, Authpoint prevents using them to sign in because they bypass the login process.

    -James Carson
    WatchGuard Customer Support

  • Hmm. That stinks. Is that true for all MFA, or Authpoint specifically?

  • Thank you James. Happy Holidays.

Sign In to comment.